Scammers target firms with W-2 phishing/CEO fraud blend

The United States Internal Revenue Service (IRS) is warning organizations to be on the lookout for scammers that blend CEO fraud with W-2 phishing.

In an alert published on 2 February, the IRS explains that the scam begins with a phishing attempt for W-2 information:

“Cybercriminals use various spoofing techniques to disguise an email to make it appear as if it is from an organization executive. The email is sent to an employee in the payroll or human resources departments, requesting a list of all employees and their Forms W-2. This scam is sometimes referred to as business email compromise (BEC) or business email spoofing (BES).”

Business email compromise scams are nothing new. This ruse, through which an attacker impersonates an executive by phishing for their business email account credentials, has been around for years. In fact, the FBI has been tracking BEC ploys since October 2013.

In that span of time, organizations like Seagate and Snapchat have unintentionally provided scammers with their employees’ W-2 information.

Which begs the question: what’s in it for scammers?

W-2 information is incredibly valuable to a computer criminal because a single W-2 record contains an employee’s name, address, Social Security Number, and other data. Together, this is more than enough information for the fraudster to file a fake tax refund in the employee’s name. Alternatively, they can sell the records on the dark web for as much as $20 a pop, as reported by Brian Krebs.

What’s interesting in this new wave of scams, however, is that the computer criminal doesn’t just settle for W-2 information.

Abusing the same executive’s business email, they commit CEO fraud by contacting payroll or the comptroller and requesting that they authorize a wire transfer to an account under their control. Companies have lost millions of dollars as a result of this technique.

Separately, W-2 phishing and CEO fraud pose a threat to organizations. IRS Commissioner John Koskinen thinks they’re even worse when these two attacks are combined together. As quoted in the IRS alert:

“This is one of the most dangerous email phishing scams we’ve seen in a long time. It can result in the large-scale theft of sensitive data that criminals can use to commit various crimes, including filing fraudulent tax returns. We need everyone’s help to turn the tide against this scheme.”

Organizations can best protect themselves against W-2 phishing attacks and CEO fraud by training their employees to be on the lookout for business email compromise scams.

That means they need to know not to click on suspicious links or email attachments. At the same time, if your organization ever receives a W-2 phishing email, forward it to phishing@irs.gov.

Smashing Security podcast

Online drug dealers get busted due to poor OPSEC! People are still failing to wipe their USB sticks properly! A potential presidential candidate is outed as a former hacker! Flat Earthers! Pi! Empathy!